This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark and tcpreplay together?

0

I've got a python script that launches tshark and then uses tcpreplay to inject packets onto a small network. After tshark stops capturing and writes a pcap to disk, I attempt to use another tshark call to translate that capture to text for parsing. This last bit doesn't work. I see 'tshark: Unrecognized libpcap format' on screen. Code looks like this:

# Capture and Translate calls for tshark
tsharkCapture =  shlex.split("tshark -a duration:%s -i %s -F libpcap -w %s" % (10, "eth0", "result.pcap"))
tsharkTranslate = shlex.split("tshark -i - -V")

Replay call for tcpreplay


tcpreplayCall = shlex.split("tcpreplay –intf1 %s –enable-file-cache –timer=gtod –quiet –loop=%s –pps=%s %s" % ("eth0", 1, 1, "replay.pcap"))


start up tshark to generate a pcap file, which will (hopefully!) hold the relevant traffic


tsharkProc = subprocess.Popen(tsharkCapture, bufsize=0)


snooze a bit, launch the replay file


time.sleep(1)
tcpreplayProc = subprocess.Popen(tcpreplayCall)


wait for the tshark capture process to terminate


tsharkProc.poll()
while tsharkProc.returncode == None:
time.sleep(0.1)
tsharkProc.poll()


translate the pcap capture to a txt file


tsharkProc = subprocess.Popen(tsharkTranslate,
stdin=open("result.pcap", "rb"),
stdout=open("result.txt", "wb"))


wait for the translation process to terminate


tsharkProc.poll()
while tsharkProc.returncode == None:
time.sleep(0.1)
tsharkProc.poll()

The calls themselves appear correct. Tshark captures, tcpreplay replays ‘replay.pcap’, tshark writes ‘result.pcap’ to file, and this file contains what it should. ‘result.txt’ is empty however.

If (just to see) I replace ‘result.pcap’ with ‘replay.pcap’ in the translate call, there is no error, and ‘result.txt’ has what I expect. If I comment out the replay launch (with ‘result.pcap’ in the translate call), there is again no error, and ‘result.txt’ has what I would expect.

It really looks like the issue is with running tshark, then tcpreplay, and finally tshark to translate to text–all those things together.

I would be happy to have the first tshark call write the ‘result.txt’ file directly rather than using a second call to write it out, but I haven’t had luck with that either.

I can open ‘result.pcap’ with Wireshark and export the file to text without any issues.

FYI ‘replay.pcap’ is generated using text2pcap, from this:

0000  00 40 ae 00 47 e3 00 02 b3 11 11 11 00 14 82 82  End
0010  03 01 04 02 73 21 0e 0c 02 00 21 98 1e 09 4c 19  End
0020  00 1f                                            End

What am I doing wrong?

asked 25 Sep ‘13, 11:23

ozymandias's gravatar image

ozymandias
11113
accept rate: 0%

If (just to see) I replace ‘result.pcap’ with ‘replay.pcap’ in the translate call, there is no error,

what is the output of the following commands:

capinfos result.pcap
file result.pcap
od -x result.pcap | head 20

(25 Sep ‘13, 12:44) Kurt Knochner ♦
File name:           result.pcap
File type:           Wireshark - pcapng
File encapsulation:  Ethernet
Packet size limit:   file hdr: (not set)
Number of packets:   11
File size:           2000 bytes
Data size:           1379 bytes
Capture duration:    1 seconds
Start time:          Wed Sep 25 10:09:44 2013
End time:            Wed Sep 25 10:09:46 2013
Data byte rate:      1029.07 bytes/sec
Data bit rate:       8232.57 bits/sec
Average packet size: 125.36 bytes
Average packet rate: 8.21 packets/sec
SHA1:                bf0ded3960a96ab06573dafdd6eb9f8a98ae5012
RIPEMD160:           6df5adfe55ef1f6b45341788bf8304e3b634b76f
MD5:                 7e6659c259afd6303683c265f5e5d316
Strict time order:   True
(25 Sep ‘13, 12:51) ozymandias

That was capinfos above.

file result.pcap gives: result.pcap pcap-ng capture file - version 1.0

od -x result.pcap | head 20 (20 had to be left off)

0000000 0d0a 0a0d 0050 0000 3c4d 1a2b 0001 0000
0000020 ffff ffff ffff ffff 0003 0015 694c 756e
0000040 2078 2e33 2e32 2d30 2d34 3836 2d36 6170
0000060 0065 0000 0004 000d 7544 706d 6163 2070
0000100 2e31 2e38 0032 0000 0000 0000 0050 0000
0000120 0001 0000 0044 0000 0001 0000 ffff 0000
0000140 0002 0004 7465 3068 0009 0001 0006 0000
0000160 000c 0015 694c 756e 2078 2e33 2e32 2d30
0000200 2d34 3836 2d36 6170 0065 0000 0000 0000
0000220 0044 0000 0006 0000 005c 0000 0000 0000

(25 Sep '13, 13:12) ozymandias

One Answer:

0
File name:           result.pcap
File type:           Wireshark - pcapng

O.K. capinfos shows it's a pcap-ng file.

I see 'tshark: Unrecognized libpcap format' on screen.

well, the error must be related to the way you run tshark.

Why do you call it this way

tsharkTranslate = shlex.split("tshark -i - -V")

and not this way:

tsharkTranslate = shlex.split("tshark -nr result.pcap -V") 
tsharkProc = subprocess.Popen(tsharkTranslate,stdout=open("result.txt", "wb"))

Regards
Kurt

answered 25 Sep '13, 13:32

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 25 Sep '13, 13:34

That works! I did it the way I did out of ignorance, which thanks to your answer, is a little less than it was before.

Thanks much.

(25 Sep '13, 14:04) ozymandias

good.

Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions.

(25 Sep '13, 14:06) Kurt Knochner ♦